
Commit 4232440

sdesalas, banderror and nastasha-solomon authored and committed
[Security][9.x] Add 'search.allow_expensive_queries' to detections-requirements.md (elastic#3543)
## Summary

De-facto requirement of Security Detections (and much of Kibana) that has not been documented properly.

```
# elasticsearch.yml
search.allow_expensive_queries=false # <=== causes errors across Kibana 🤯
```

Errors go as far back as `v8.18` (but likely much further), and not only affect the Security app, but also many `Server Management` features such as Fleet, Saved Objects, Tags, etc.

For more info: elastic/kibana#237496 -> Section **`Risks that were found acceptable`**

We're documenting it [under the correct location](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-requirements) to make sure that users know about it. There is an [internal slack thread](https://elastic.slack.com/archives/C02HA9E8221/p1760694975799469) for discussion.

Note also that this is documented as a [requirement of the 'alerting' plugin](https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/alerting-setup#alerting-prerequisites) that we're using under the hood.

<img width="800" alt="image" src="https://github.com/user-attachments/assets/512b57ed-d8e3-454b-a132-1776826d4a86" />

---------

Co-authored-by: Georgii Gorbachev <[email protected]>
Co-authored-by: Nastasha Solomon <[email protected]>
1 parent af2a651 commit 4232440

File tree

1 file changed

+7
-2
lines changed

solutions/security/detect-and-alert/detections-requirements.md

Lines changed: 7 additions & 2 deletions
@@ -28,11 +28,16 @@ stack:
2828
These steps are only required for **self-managed** deployments:
2929
3030
* HTTPS must be configured for communication between [{{es}} and {{kib}}](/deploy-manage/security/set-up-basic-security-plus-https.md#encrypt-kibana-http).
31-
* In the `elasticsearch.yml` configuration file, set the `xpack.security.enabled` setting to `true`. For more information, refer to [Configuring {{es}}](/deploy-manage/deploy/self-managed/configure-elasticsearch.md) and [Security settings in {{es}}](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md).
32-
* In [`kibana.yml`](/deploy-manage/stack-settings.md), add the `xpack.encryptedSavedObjects.encryptionKey` setting with any alphanumeric value of at least 32 characters. For example:
31+
* In [`kibana.yml`](/deploy-manage/stack-settings.md):
32+
33+
Add the `xpack.encryptedSavedObjects.encryptionKey` setting with any alphanumeric value of at least 32 characters. For example:
3334

3435
`xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliverpoolfcr'`
3536
37+
* In [`elasticsearch.yml`](/deploy-manage/deploy/self-managed/configure-elasticsearch.md):
38+
* Set the `xpack.security.enabled` setting to `true`. Refer to [General security settings](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md#general-security-settings) for more information.
39+
* If the `search.allow_expensive_queries` setting is set to `false`, remove it. If set to its default value of `true` or not included in the `elasticsearch.yml` file, you don't need to make changes. This setting must be `true` for key detection features, such as [alerting rules](/explore-analyze/alerts-cases/alerts/alerting-setup.md#alerting-prerequisites) and rule exceptions, to work.
40+
3641

3742
::::{important}
3843
After changing the `xpack.encryptedSavedObjects.encryptionKey` value and restarting {{kib}}, you must restart all detection rules.
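Review bot: the new `search.allow_expensive_queries` bullet (new line 39) instructs the reader only to remove the key when it is `false`, while its closing sentence states the requirement as the setting being `true`; phrasing the instruction as "set it to `true` or remove it" makes the action match the stated requirement and also covers operators who prefer to keep the key explicit in `elasticsearch.yml`. It would also help to add one sentence naming the symptom, since the commit message notes that `false` produces errors across the Security app and Server Management features such as Fleet, Saved Objects and Tags, so an operator who hits those errors can trace them back to this setting; as written, the doc only says the features "must" have it `true`, without saying how a misconfiguration shows up.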
